Tuesday, 2015-08-11

*** _cjones_ has quit IRC		00:04
*** miguelgrinberg has quit IRC		00:04
*** miguelgrinberg has joined #openstack-keystone		00:05
*** zzzeek has quit IRC		00:06
*** tsymanczyk has quit IRC		00:11
*** roxanaghe has quit IRC		00:17
*** shadower has quit IRC		00:23
*** shadower has joined #openstack-keystone		00:23
*** geoffarnold has quit IRC		00:23
*** bapalm has joined #openstack-keystone		00:24
*** bapalm has quit IRC		00:44
*** bapalm has joined #openstack-keystone		00:45
*** bapalm has quit IRC		00:46
*** bapalm has joined #openstack-keystone		00:46
*** jasonsb has joined #openstack-keystone		00:47
*** ankita_wagh has joined #openstack-keystone		00:47
*** stevemar has joined #openstack-keystone		00:51
*** ChanServ sets mode: +v stevemar		00:51
*** ankita_w_ has quit IRC		00:51
*** stevemar has quit IRC		00:51
*** stevemar_ has joined #openstack-keystone		00:51
*** ChanServ sets mode: +v stevemar_		00:51
*** gyee has quit IRC		00:53
*** nkinder has quit IRC		00:57
*** elmiko_ has joined #openstack-keystone		01:03
*** elmiko has quit IRC		01:06
*** piyanai has joined #openstack-keystone		01:11
*** elmiko_ has quit IRC		01:11
*** ankita_wagh has quit IRC		01:14
*** tobe_ has joined #openstack-keystone		01:18
*** elmiko has joined #openstack-keystone		01:20
*** bapalm has quit IRC		01:21
*** bapalm has joined #openstack-keystone		01:21
*** browne has quit IRC		01:25
*** bapalm has quit IRC		01:26
*** fangzhou has quit IRC		01:31
*** davechen has joined #openstack-keystone		01:31
*** piyanai has quit IRC		01:33
*** ankita_wagh has joined #openstack-keystone		01:35
*** mylu has joined #openstack-keystone		01:37
*** ankita_wagh has quit IRC		01:43
*** ankita_wagh has joined #openstack-keystone		01:43
*** adamh_000_ has joined #openstack-keystone		01:45
*** mylu has quit IRC		01:46
*** mylu has joined #openstack-keystone		01:47
*** elmiko_ has joined #openstack-keystone		01:48
*** piyanai has joined #openstack-keystone		01:50
*** adamh_000_ has quit IRC		01:50
*** elmiko_ has quit IRC		01:51
*** adamh_000_ has joined #openstack-keystone		01:51
*** elmiko has quit IRC		01:52
*** adamh_000__ has joined #openstack-keystone		01:58
*** jdandrea has quit IRC		02:00
*** adamh_000_ has quit IRC		02:01
*** adamh_000_ has joined #openstack-keystone		02:02
*** adamh_000__ has quit IRC		02:05
*** tobe_ has quit IRC		02:05
*** tobe_ has joined #openstack-keystone		02:06
*** ngupta has joined #openstack-keystone		02:07
*** ankita_w_ has joined #openstack-keystone		02:08
*** adamh_000__ has joined #openstack-keystone		02:09
openstackgerrit	David Stanek proposed openstack/python-keystoneclient: WIP: Adds HTTP caching support https://review.openstack.org/211396	02:10
*** ankita_wagh has quit IRC		02:12
*** adamh_000_ has quit IRC		02:13
*** bknudson has quit IRC		02:14
jamielennox	dstanek: interesting, i always envisioned people would just pass a requests.Session in that did this stuff for us for caching and didn't require a dependency on cachecontrol but i guess that messes up the TCPKeepAlive thing	02:16
jamielennox	particularly OSC was the main user i expected because CacheControl generally caches to a file from memory	02:16
*** piyanai has quit IRC		02:27
*** stevemar_ has quit IRC		02:29
*** woodster_ has quit IRC		02:30
*** stevemar has joined #openstack-keystone		02:30
*** ChanServ sets mode: +v stevemar		02:30
*** ngupta has quit IRC		02:40
*** browne has joined #openstack-keystone		02:41
*** ngupta has joined #openstack-keystone		02:44
*** adamh_000__ has quit IRC		02:46
*** tobe_ has quit IRC		02:47
*** tobe_ has joined #openstack-keystone		02:49
*** hakimo_ has joined #openstack-keystone		02:52
*** hakimo has quit IRC		02:54
*** ankita_w_ has quit IRC		03:01
*** mylu has quit IRC		03:05
*** lhcheng has quit IRC		03:09
*** richm has quit IRC		03:15
*** mylu has joined #openstack-keystone		03:16
*** david-lyle has quit IRC		03:21
*** ngupta has quit IRC		03:26
dstanek	jamielennox: haha, yeah i just responded on the review	03:31
jamielennox	dstanek: gah, i hate it when a capitalized name like that isn't actually a class but a function	03:34
*** mylu has quit IRC		03:34
*** phalmos has joined #openstack-keystone		03:35
dstanek	jamielennox: i understand in some cases where you don't have to care, but in this case it hides the fact that it's actually mucking with the adapters	03:35
jamielennox	right - it just means it works differently than i expected it would	03:36
*** phalmos has quit IRC		03:37
dstanek	jamielennox: that why i create a new funky adapter subclass	03:37
jamielennox	dstanek: yea, makes sense now	03:38
*** ayoung has quit IRC		03:44
*** lhcheng has joined #openstack-keystone		03:44
*** ChanServ sets mode: +v lhcheng		03:44
*** mylu has joined #openstack-keystone		03:51
*** mylu has quit IRC		04:01
*** jasondotstar has quit IRC		04:06
*** tobe_ has quit IRC		04:12
*** Ephur has quit IRC		04:12
*** tobe_ has joined #openstack-keystone		04:17
*** Nirupama has joined #openstack-keystone		04:24
*** jecarey has joined #openstack-keystone		04:31
*** david-lyle has joined #openstack-keystone		04:40
*** dsirrine has quit IRC		04:42
*** gildub has joined #openstack-keystone		04:44
*** dsirrine has joined #openstack-keystone		04:56
*** ankita_wagh has joined #openstack-keystone		04:58
*** ankita_wagh has quit IRC		04:58
*** ankita_wagh has joined #openstack-keystone		04:59
*** hrou has joined #openstack-keystone		05:06
*** dsirrine has quit IRC		05:12
*** dsirrine has joined #openstack-keystone		05:25
*** hrou has quit IRC		05:28
*** belmoreira has joined #openstack-keystone		05:43
*** jecarey_ has joined #openstack-keystone		05:46
*** jecarey has quit IRC		05:49
*** josecastroleon has joined #openstack-keystone		05:57
*** jecarey_ has quit IRC		06:04
*** ParsectiX has joined #openstack-keystone		06:24
openstackgerrit	guang-yee proposed openstack/keystonemiddleware: Enforce endpoint constraint https://review.openstack.org/177661	06:37
*** stevemar has quit IRC		07:10
*** stevemar has joined #openstack-keystone		07:11
*** ChanServ sets mode: +v stevemar		07:11
*** afazekas has joined #openstack-keystone		07:13
*** stevemar has quit IRC		07:13
*** ankita_wagh has quit IRC		07:20
*** jasondotstar has joined #openstack-keystone		07:44
breton	oh, nice passwords above.	07:45
*** gildub has quit IRC		07:46
*** lhcheng_ has joined #openstack-keystone		07:47
breton	are we planning to use keystoneauth1 in ksm? I am poking samleon's x.509 and see that certificate-related stuff is already in ksc and ksa. However, there is nothing certificate-related in ksm.	07:47
*** jasondotstar has quit IRC		07:48
*** fhubik has joined #openstack-keystone		07:50
*** fhubik is now known as fhubik_brb		07:50
*** lhcheng has quit IRC		07:50
*** browne has quit IRC		07:50
*** fhubik_brb is now known as fhubik		07:53
*** lhcheng_ has quit IRC		07:56
*** jistr has joined #openstack-keystone		08:04
openstackgerrit	Merged openstack/keystone: Improve List Role Assignments Filters Performance https://review.openstack.org/137202	08:05
*** boris-42 has quit IRC		08:10
*** stevemar has joined #openstack-keystone		08:13
*** ChanServ sets mode: +v stevemar		08:13
*** links has joined #openstack-keystone		08:13
*** eandersson has joined #openstack-keystone		08:16
*** stevemar has quit IRC		08:16
*** henrynash has joined #openstack-keystone		08:22
*** ChanServ sets mode: +v henrynash		08:22
*** lhcheng has joined #openstack-keystone		08:37
*** ChanServ sets mode: +v lhcheng		08:37
*** dikonoor has joined #openstack-keystone		08:49
*** katkapilatova has joined #openstack-keystone		08:49
*** dikonoo has joined #openstack-keystone		08:49
*** jasondotstar has joined #openstack-keystone		08:57
*** yottatsa has joined #openstack-keystone		09:03
openstackgerrit	henry-nash proposed openstack/keystone-specs: Clarify project hierarchy and parent usage within the API https://review.openstack.org/200624	09:11
*** fhubik is now known as fhubik_brb		09:21
*** lhcheng has quit IRC		09:23
*** fhubik_brb is now known as fhubik		09:24
*** marzif_ has joined #openstack-keystone		09:29
*** yottatsa has quit IRC		09:30
*** yottatsa has joined #openstack-keystone		09:31
*** yottatsa has quit IRC		09:32
*** yottatsa has joined #openstack-keystone		09:35
*** yottatsa has quit IRC		09:35
*** henrynash has quit IRC		09:46
*** fhubik is now known as fhubik_brb		09:52
*** davechen has quit IRC		09:57
*** fhubik_brb is now known as fhubik		10:14
*** stevemar has joined #openstack-keystone		10:15
*** ChanServ sets mode: +v stevemar		10:15
*** stevemar has quit IRC		10:18
*** fhubik is now known as fhubik_brb		10:24
*** fhubik_brb is now known as fhubik		10:26
*** fhubik is now known as fhubik_brb		10:26
*** henrynash has joined #openstack-keystone		10:38
*** ChanServ sets mode: +v henrynash		10:38
*** josecastroleon has quit IRC		10:38
openstackgerrit	henry-nash proposed openstack/keystone: Add support for data-driven backend assignment testing https://review.openstack.org/149178	10:39
openstackgerrit	henry-nash proposed openstack/keystone: Add support for effective & inherited mode in data driven tests https://review.openstack.org/151623	10:39
openstackgerrit	henry-nash proposed openstack/keystone: Add support for group membership to data driven assignment tests https://review.openstack.org/151962	10:40
openstackgerrit	henry-nash proposed openstack/keystone: Broaden domain-group testing of list_role_assignments https://review.openstack.org/154302	10:40
openstackgerrit	henry-nash proposed openstack/keystone: Test list_role_assignment in standard inheritance tests https://review.openstack.org/153897	10:41
openstackgerrit	henry-nash proposed openstack/keystone: Support project hierarchies in data driver tests https://review.openstack.org/154485	10:41
openstackgerrit	henry-nash proposed openstack/keystone: Remove manager-driver assignment metadata construct https://review.openstack.org/148995	10:46
*** fhubik_brb is now known as fhubik		11:31
*** dikonoor has quit IRC		11:31
*** piyanai has joined #openstack-keystone		11:35
*** belmoreira has quit IRC		11:35
*** henrynash has quit IRC		11:37
*** josecastroleon has joined #openstack-keystone		11:38
*** gordc has joined #openstack-keystone		11:39
*** tobe_ has quit IRC		11:50
*** tobe_ has joined #openstack-keystone		11:52
*** tobe_ has quit IRC		11:57
*** openstackgerrit_ has joined #openstack-keystone		12:03
*** yottatsa has joined #openstack-keystone		12:08
*** fhubik is now known as fhubik_brb		12:10
*** samueldmq has joined #openstack-keystone		12:11
samueldmq	morning	12:12
*** marzif__ has joined #openstack-keystone		12:14
*** marzif__ has quit IRC		12:16
*** marzif__ has joined #openstack-keystone		12:16
*** marzif_ has quit IRC		12:17
*** yottatsa has quit IRC		12:20
*** jecarey has joined #openstack-keystone		12:20
*** yottatsa has joined #openstack-keystone		12:24
*** bapalm has joined #openstack-keystone		12:26
*** bapalm has quit IRC		12:26
*** bapalm has joined #openstack-keystone		12:27
*** Nirupama has quit IRC		12:27
*** edmondsw has joined #openstack-keystone		12:33
*** claudiub has joined #openstack-keystone		12:37
claudiub	hello. any keystoneclient person around here?	12:39
claudiub	I have a bit of an issue with it: https://github.com/openstack/python-keystoneclient/blame/master/keystoneclient/session.py#L916	12:40
claudiub	socket.TCP_KEEPCNT doesn't exist in windows	12:40
claudiub	or TCP_KEEPINTVL	12:40
*** katkapilatova has left #openstack-keystone		12:42
*** bapalm_ has joined #openstack-keystone		12:45
breton	you could try doing something like on line 923	12:46
claudiub	breton: sure, but still deserves a bug report, IMO. doing it now.	12:47
*** links has quit IRC		12:48
*** bapalm has quit IRC		12:49
*** richm has joined #openstack-keystone		12:49
*** openstackgerrit_ has quit IRC		12:51
*** jsavak has joined #openstack-keystone		12:53
*** openstackgerrit_ has joined #openstack-keystone		12:57
*** elmiko has joined #openstack-keystone		13:05
*** marzif_ has joined #openstack-keystone		13:10
*** marzif_ has quit IRC		13:11
*** marzif__ has quit IRC		13:11
*** marzif_ has joined #openstack-keystone		13:12
*** petertr7_away is now known as petertr7		13:17
*** yottatsa has quit IRC		13:18
*** browne has joined #openstack-keystone		13:18
*** yottatsa has joined #openstack-keystone		13:20
*** nkinder has joined #openstack-keystone		13:20
*** yottatsa has quit IRC		13:21
*** yottatsa has joined #openstack-keystone		13:22
*** jecarey has quit IRC		13:24
*** yottatsa has quit IRC		13:25
*** yottatsa has joined #openstack-keystone		13:25
dstanek	claudiub: that's really interesting... have you created a bug?	13:29
*** ajayaa has joined #openstack-keystone		13:29
*** samueldmq has quit IRC		13:30
*** hrou has joined #openstack-keystone		13:32
*** ayoung has joined #openstack-keystone		13:34
*** ChanServ sets mode: +v ayoung		13:34
*** opilotte has joined #openstack-keystone		13:34
*** david-lyle has quit IRC		13:36
*** doug-fish has left #openstack-keystone		13:42
breton	dstanek: bug #1483696	13:42
openstack	bug 1483696 in python-keystoneclient "socket.TCP_KEEPCNT and socket.KEEPINTVL do not exist in windows" [Undecided,New] https://launchpad.net/bugs/1483696	13:42
*** jecarey has joined #openstack-keystone		13:44
*** fhubik_brb is now known as fhubik		13:49
*** edmondsw has quit IRC		13:51
lbragstad	marekd: around? I've added https://bugs.launchpad.net/keystone/+bug/1482701 to the list of agenda items on the meeting for today	13:54
openstack	Launchpad bug 1482701 in Keystone "Federation: user's name in rules not respected" [Medium,In progress] - Assigned to Marek Denis (marek-denis)	13:54
*** openstackgerrit_ has quit IRC		13:55
marekd	lbragstad: thanks.	13:55
marekd	lbragstad: so i tried to make DS work but i basically failed.	13:56
*** openstackgerrit_ has joined #openstack-keystone		13:56
*** afazekas has quit IRC		13:56
*** piyanai has quit IRC		13:58
claudiub	dstanek: hi. yeah. I started doing the fix. working on the unit test atm	13:59
*** r-daneel has joined #openstack-keystone		14:00
*** diazjf has joined #openstack-keystone		14:00
lbragstad	marekd: I saw the link in the mail	14:00
marekd	lbragstad: nah, i tried installing stuf that sits in /etc/shibboleth-ds/	14:01
*** ngupta has joined #openstack-keystone		14:01
lbragstad	marekd: what exactly did you try ?	14:01
lbragstad	just curious	14:01
marekd	lbragstad: make DS work	14:01
marekd	i once did it	14:01
marekd	to make sure it basically does what i think it does	14:01
marekd	it was failing for some reason, maybe self signed certs or whatever.	14:02
*** jsavak has quit IRC		14:02
marekd	anyway, i kind of like idea of subdomain in client's domain	14:02
marekd	this may nice	14:02
dstanek	claudiub: cool, you should assign the bug to yourself so people know that someone is working on it	14:02
lbragstad	marekd: so, openstack-dashboard.coke.com	14:03
marekd	lbragstad: yes	14:03
dstanek	marekd: it's really hard to get me to work	14:03
marekd	dstanek: ?	14:03
dstanek	marekd: bad (maybe just delayed joke) "so i tried to make DS work but i basically failed."	14:03
lbragstad	lol	14:03
lbragstad	"I keep assigning bugs to him but he's not doing anything!?	14:04
marekd	dstanek: lol, took me good few secs to understand what you mean	14:04
*** doug-fish has joined #openstack-keystone		14:05
*** jistr is now known as jistr\|mtg		14:10
*** bapalm_ has quit IRC		14:11
*** bapalm has joined #openstack-keystone		14:11
*** jecarey has quit IRC		14:11
*** ParsectiX has quit IRC		14:13
*** sigmavirus24_awa is now known as sigmavirus24		14:15
*** bapalm has quit IRC		14:15
*** bapalm has joined #openstack-keystone		14:15
*** stevemar has joined #openstack-keystone		14:16
*** ChanServ sets mode: +v stevemar		14:16
*** narengan has joined #openstack-keystone		14:16
*** bapalm has quit IRC		14:16
*** raildo has joined #openstack-keystone		14:17
*** bapalm has joined #openstack-keystone		14:17
*** openstackgerrit_ has quit IRC		14:17
*** narengan has quit IRC		14:18
*** openstackgerrit_ has joined #openstack-keystone		14:18
*** narengan has joined #openstack-keystone		14:19
*** jsavak has joined #openstack-keystone		14:19
*** stevemar has quit IRC		14:20
*** yottatsa has quit IRC		14:22
*** narengan has quit IRC		14:23
*** tellesnobrega has quit IRC		14:23
*** yottatsa has joined #openstack-keystone		14:24
*** tellesnobrega has joined #openstack-keystone		14:24
*** edmondsw has joined #openstack-keystone		14:24
*** tellesnobrega has quit IRC		14:25
*** tellesnobrega has joined #openstack-keystone		14:26
opilotte	i'll just leave this here... https://review.openstack.org/#/c/210581/	14:29
*** fhubik has quit IRC		14:29
*** openstackgerrit_ has quit IRC		14:31
*** yottatsa has quit IRC		14:37
*** stevemar has joined #openstack-keystone		14:38
*** ChanServ sets mode: +v stevemar		14:38
*** yottatsa has joined #openstack-keystone		14:39
*** tellesnobrega_ has joined #openstack-keystone		14:42
*** tellesnobrega_ has quit IRC		14:42
*** tellesnobrega_ has joined #openstack-keystone		14:42
*** jdandrea has joined #openstack-keystone		14:43
*** tellesnobrega_ has quit IRC		14:44
*** tellesnobrega_ has joined #openstack-keystone		14:45
*** jecarey has joined #openstack-keystone		14:46
*** piyanai has joined #openstack-keystone		14:47
*** Ephur has joined #openstack-keystone		14:47
*** tellesnobrega_ has quit IRC		14:48
*** ajayaa has quit IRC		14:48
*** tellesnobrega_ has joined #openstack-keystone		14:51
*** ajayaa has joined #openstack-keystone		14:52
*** Ephur has quit IRC		14:52
*** jistr\|mtg is now known as jistr		14:59
*** narengan has joined #openstack-keystone		15:01
*** tellesno` has joined #openstack-keystone		15:03
*** samueldmq has joined #openstack-keystone		15:03
*** zzzeek has joined #openstack-keystone		15:05
*** tellesnobrega has quit IRC		15:08
*** tellesno` has quit IRC		15:09
*** tellesnobrega has joined #openstack-keystone		15:10
*** tellesnobrega has quit IRC		15:13
*** tellesnobrega has joined #openstack-keystone		15:13
*** eandersson_ has joined #openstack-keystone		15:15
*** david-lyle has joined #openstack-keystone		15:15
openstackgerrit	Olivier Pilotte proposed openstack/keystone: allow Keystone to accept Group IDs from the IdP without any Domain reference https://review.openstack.org/210581	15:17
*** eandersson has quit IRC		15:18
*** narengan has quit IRC		15:25
*** narengan has joined #openstack-keystone		15:25
*** narengan_ has joined #openstack-keystone		15:26
*** bapalm has quit IRC		15:27
openstackgerrit	Boris Bobrov proposed openstack/keystone: Fix docstring in mapped plugin https://review.openstack.org/211630	15:28
*** bapalm has joined #openstack-keystone		15:28
*** josecastroleon has quit IRC		15:28
*** narengan has quit IRC		15:30
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Support Multiple SQL Backends https://review.openstack.org/207482	15:34
*** yottatsa has quit IRC		15:36
*** lhcheng has joined #openstack-keystone		15:44
*** ChanServ sets mode: +v lhcheng		15:44
*** rudzha has joined #openstack-keystone		15:46
*** rudzha has left #openstack-keystone		15:47
*** woodster_ has joined #openstack-keystone		15:47
*** petertr7 is now known as petertr7_away		15:48
*** rm_work is now known as rm_work\|away		15:49
*** piyanai has quit IRC		15:49
*** geoffarnold has joined #openstack-keystone		15:49
*** geoffarnold has quit IRC		15:51
*** geoffarnold has joined #openstack-keystone		15:51
*** yottatsa has joined #openstack-keystone		15:53
rodrigods	here it comes...	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Creating tests for projects acting as domains https://review.openstack.org/211219	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Limit subtree and parents queries https://review.openstack.org/209132	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain field in Project Table https://review.openstack.org/157427	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain in token response https://review.openstack.org/197331	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Bye Bye Domain Table https://review.openstack.org/161854	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Honor domain operations in project table https://review.openstack.org/143763	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Change policy to comply with is_domain in token https://review.openstack.org/206063	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Remove domain table references https://review.openstack.org/165936	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Replicate domain info in projects table https://review.openstack.org/211170	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Change project name constraints https://review.openstack.org/158372	15:56
openstackgerrit	Rodrigo Duarte proposed openstack/keystone: Add is_domain parameter to get_project_by_name https://review.openstack.org/210600	15:56
*** piyanai has joined #openstack-keystone		15:58
*** yottatsa has quit IRC		16:00
*** jasondotstar has quit IRC		16:00
*** jistr has quit IRC		16:01
*** gyee has joined #openstack-keystone		16:03
*** ChanServ sets mode: +v gyee		16:03
*** pgbridge has quit IRC		16:06
*** yottatsa has joined #openstack-keystone		16:07
*** marzif_ has quit IRC		16:08
*** openstackgerrit_ has joined #openstack-keystone		16:08
*** geoffarnold has quit IRC		16:10
*** geoffarnold has joined #openstack-keystone		16:11
*** _cjones_ has joined #openstack-keystone		16:12
*** tellesnobrega_ has quit IRC		16:13
*** piyanai_ has joined #openstack-keystone		16:14
*** piyanai has quit IRC		16:17
*** piyanai_ is now known as piyanai		16:17
*** ankita_wagh has joined #openstack-keystone		16:19
*** jasondotstar has joined #openstack-keystone		16:20
*** ig0r_ has joined #openstack-keystone		16:20
*** mylu has joined #openstack-keystone		16:28
*** raildo__ has joined #openstack-keystone		16:29
*** raildo-afk has joined #openstack-keystone		16:32
*** raildo-afk has quit IRC		16:34
*** raildo-afk has joined #openstack-keystone		16:35
*** raildo__ has quit IRC		16:35
*** bapalm_ has joined #openstack-keystone		16:35
*** bapalm has quit IRC		16:39
*** htruta has quit IRC		16:41
*** htruta has joined #openstack-keystone		16:43
*** htruta has quit IRC		16:44
*** ig0r_ has quit IRC		16:48
*** jasonsb has quit IRC		16:49
*** jasonsb has joined #openstack-keystone		16:50
*** yottatsa has quit IRC		16:51
*** petertr7_away is now known as petertr7		16:53
*** raildo has quit IRC		16:53
*** roxanaghe has joined #openstack-keystone		16:53
*** bapalm_ has quit IRC		16:54
*** yottatsa has joined #openstack-keystone		16:54
*** jasonsb has quit IRC		16:54
*** bapalm has joined #openstack-keystone		16:54
*** raildo has joined #openstack-keystone		16:55
*** htruta has joined #openstack-keystone		16:55
*** bapalm_ has joined #openstack-keystone		16:55
*** tellesnobrega has quit IRC		16:56
*** ankita_wagh has quit IRC		16:56
*** tellesnobrega has joined #openstack-keystone		16:56
*** tellesnobrega has quit IRC		16:57
*** tellesnobrega has joined #openstack-keystone		16:57
*** piyanai has quit IRC		16:58
*** mylu has quit IRC		16:58
*** tellesnobrega has quit IRC		16:58
*** tellesnobrega has joined #openstack-keystone		16:59
*** browne has quit IRC		16:59
*** bapalm has quit IRC		16:59
*** mylu has joined #openstack-keystone		16:59
*** bapalm_ has quit IRC		17:00
*** tellesnobrega has quit IRC		17:01
*** narengan_ has quit IRC		17:01
*** tellesnobrega has joined #openstack-keystone		17:01
*** narengan has joined #openstack-keystone		17:02
*** piyanai has joined #openstack-keystone		17:02
*** ajayaa has quit IRC		17:04
gyee	dolphm, your patch actually fix two critical issues, https://review.openstack.org/#/c/208069/, do you want to update the commit msg or you want me to do it	17:06
gyee	I can go ahead and approve it after the update	17:06
*** narengan has quit IRC		17:06
*** henrynash has joined #openstack-keystone		17:16
*** ChanServ sets mode: +v henrynash		17:16
*** piyanai has quit IRC		17:20
*** raildo has quit IRC		17:21
*** mylu has quit IRC		17:25
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Create Cached Policy Table https://review.openstack.org/211679	17:25
*** piyanai has joined #openstack-keystone		17:26
*** tqtran has joined #openstack-keystone		17:27
*** raildo-afk is now known as raildo		17:27
*** piyanai has quit IRC		17:27
*** raildo is now known as raildo-afk		17:28
*** ankita_wagh has joined #openstack-keystone		17:28
*** raildo has joined #openstack-keystone		17:29
*** raildo has quit IRC		17:29
*** yottatsa has quit IRC		17:31
openstackgerrit	Lance Bragstad proposed openstack/keystone: Update endpoint filter documentation https://review.openstack.org/211681	17:32
*** raildo-afk is now known as raildo		17:32
*** boris-42 has joined #openstack-keystone		17:32
*** jasonsb has joined #openstack-keystone		17:33
*** yottatsa has joined #openstack-keystone		17:34
openstackgerrit	Claudiu Belu proposed openstack/python-keystoneclient: Fixes missing socket attribute error during init_poolmanager https://review.openstack.org/211686	17:35
*** piyanai has joined #openstack-keystone		17:36
*** ayoung has quit IRC		17:37
lhcheng	dolphm: if we add the region filter to List Endpoints, I have to do create a bp/spec too right? same thing that raildo did last week	17:37
lhcheng	dolphm: related to https://bugs.launchpad.net/keystone/+bug/1482772	17:38
openstack	Launchpad bug 1482772 in python-openstackclient "Region filtering for endpoints does not work" [Undecided,New] - Assigned to Lin Hua Cheng (lin-hua-cheng)	17:38
jamielennox	sigmavirus24: bug #1483696	17:38
openstack	bug 1483696 in python-keystoneclient "socket.TCP_KEEPCNT and socket.KEEPINTVL do not exist in windows" [Medium,In progress] https://launchpad.net/bugs/1483696 - Assigned to Claudiu Belu (cbelu)	17:38
lhcheng	jamielennox: Just saw your presentation on pyconau, I've reported the horizon page issue to mrunge	17:38
jamielennox	lhcheng: i think it's a rhel thing	17:39
lhcheng	jamielennox: the bug is on the red hat customization	17:39
jamielennox	lhcheng: it always seemed to work on upstream horizon	17:39
*** browne has joined #openstack-keystone		17:39
lhcheng	jamielennox: yup, I think mrunge maintains the horizon-rhel for you guys	17:39
jamielennox	lhcheng: yep, he does, i reported it internally i just haven't chased him to see if he's actually seen the bug	17:40
raildo	lhcheng: it's very similiar to my case...	17:40
lhcheng	jamielennox: anyway, I gave him a headsup :)	17:40
jamielennox	lhcheng: thanks	17:41
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Centralized Policies Distribution Mechanism https://review.openstack.org/209695	17:41
*** bknudson has joined #openstack-keystone		17:47
*** ChanServ sets mode: +v bknudson		17:47
*** harlowja has quit IRC		17:51
openstackgerrit	David Stanek proposed openstack/keystone: WIP: please don't review me https://review.openstack.org/211693	17:53
*** eandersson_ has quit IRC		17:54
*** harlowja has joined #openstack-keystone		17:54
* morgan_503 lurks in the corner		17:55
stevemar	morgan_503: i finally got the joke	17:56
stevemar	503, unavailable	17:56
stevemar	ha	17:56
*** mylu has joined #openstack-keystone		17:56
morgan_503	stevemar: hehe	17:56
*** bapalm has joined #openstack-keystone		17:56
raildo	stevemar: thanks for explain! I didn't get	17:57
morgan_503	/nick morgan_404	17:57
morgan_503	:P	17:57
morgan_503	or /nick morgan_410	17:58
morgan_503	there we go.	17:58
* dstanek is trying to update the meeting wiki...quickly..quickly...		17:58
*** jsavak has quit IRC		17:58
morgan_503	dstanek: hurrrrrrrrrrrrrrrrrrrry	17:59
morgan_503	#startmeeting Keystone	17:59
openstack	Meeting started Tue Aug 11 17:59:51 2015 UTC and is due to finish in 60 minutes. The chair is morgan_503. Information about MeetBot at http://wiki.debian.org/MeetBot.	17:59
openstack	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	17:59
openstack	The meeting name has been set to 'keystone'	17:59
morgan_503	Agenda: https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting	18:00
morgan_503	#link https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting	18:00
*** jsavak has joined #openstack-keystone		18:00
morgan_503	oops	18:00
rodrigods	wrong channel morgan_503 ?	18:00
morgan_503	#endmeeting	18:00
openstack	Meeting ended Tue Aug 11 18:00:34 2015 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	18:00
openstack	Minutes: http://eavesdrop.openstack.org/meetings/keystone/2015/keystone.2015-08-11-17.59.html	18:00
openstack	Minutes (text): http://eavesdrop.openstack.org/meetings/keystone/2015/keystone.2015-08-11-17.59.txt	18:00
openstack	Log: http://eavesdrop.openstack.org/meetings/keystone/2015/keystone.2015-08-11-17.59.log.html	18:00
*** mylu has quit IRC		18:00
*** bapalm has quit IRC		18:01
*** ayoung has joined #openstack-keystone		18:01
*** ChanServ sets mode: +v ayoung		18:01
*** mylu has joined #openstack-keystone		18:02
*** htruta_ has joined #openstack-keystone		18:02
*** mylu has quit IRC		18:03
*** mylu has joined #openstack-keystone		18:04
*** bapalm has joined #openstack-keystone		18:05
*** openstackgerrit_ has quit IRC		18:06
*** dikonoo has quit IRC		18:10
odyssey4me	interesting - you can use meetbot in the normal channel?	18:11
odyssey4me	that's handy	18:11
*** phalmos has joined #openstack-keystone		18:11
sigmavirus24	jamielennox: thanks for the pointer	18:12
sigmavirus24	odyssey4me: you can	18:12
openstackgerrit	Merged openstack/keystone-specs: Centralized Policies Distribution Mechanism https://review.openstack.org/197980	18:13
*** mylu has quit IRC		18:15
*** mylu has joined #openstack-keystone		18:16
*** ig0r_ has joined #openstack-keystone		18:17
*** ig0r_ has quit IRC		18:18
*** pgbridge has joined #openstack-keystone		18:19
*** mylu has quit IRC		18:22
*** geoffarnold has quit IRC		18:22
*** htruta_ has quit IRC		18:24
sigmavirus24	jamielennox: https://review.openstack.org/#/c/211686/ I added a review asking that they use the proper Windows settings for that bug	18:24
*** josecastroleon has joined #openstack-keystone		18:24
*** tjcocozz has joined #openstack-keystone		18:25
rodrigods	henrynash, can you check my reply here? https://review.openstack.org/#/c/157427/91/keystone/tests/unit/test_v3_assignment.py	18:28
rodrigods	also, in the commit message	18:28
*** ig0r_ has joined #openstack-keystone		18:28
*** tqtran_ has joined #openstack-keystone		18:32
*** diazjf has quit IRC		18:34
*** tqtran has quit IRC		18:35
*** geoffarnold has joined #openstack-keystone		18:37
samueldmq	one spec merged, there is one left	18:37
samueldmq	https://review.openstack.org/#/c/134655/	18:38
*** geoffarnold is now known as geoffarnoldX		18:38
ayoung	dstanek, , jamielennox, I think the way the cachine should work for my case is session.disable_cache....make calls....session.enable_cache....	18:38
samueldmq	any core want to approve it ? dstanek henrynash gyee lhcheng ^	18:38
dstanek	samueldmq: it needs to get into liberty!	18:39
*** narengan has joined #openstack-keystone		18:41
dstanek	ayoung: maybe we could add a kwarg like ignore_cache to the calls...i'll have to experiment a little to see what APIs i like	18:41
ayoung	dstanek, ++	18:41
*** jsavak has quit IRC		18:41
lhcheng	morgan_503: I added one item in the meeting agenda, should take 2 min. or we could also move it to next week if we don't have enough time.	18:42
morgan_503	possibly next week possibly this. lets see	18:42
*** jsavak has joined #openstack-keystone		18:42
samueldmq	dstanek, yes, as it already have +2 and the other merged already, I am gonna to propose moving both in a follow-on pathc	18:43
samueldmq	dstanek, if that makes sense	18:43
lhcheng	morgan_503: sure, np	18:43
*** geoffarnoldX is now known as geoffarnold		18:44
*** annasort has joined #openstack-keystone		18:45
breton	gyee: providing a token with x509 will require an auth plugin in keystone, won't it?	18:48
morgan_503	lhcheng: that looks like a simple bug	18:48
morgan_503	lhcheng: i'd say just fix it	18:48
morgan_503	btw	18:48
gyee	breton, yes, but its like a no-op plugin	18:48
*** diazjf has joined #openstack-keystone		18:49
breton	gyee: like mapped.py?	18:49
gyee	breton, no	18:49
gyee	just use the OS-FEDERATION path	18:49
lhcheng	morgan_503: okay, wanted to check-in if I should open a bp/spec like raildo did last week - since it requires api change to support new filter	18:49
morgan_503	nah	18:49
morgan_503	it's a bug	18:49
morgan_503	make it a no-spec question for next week	18:50
morgan_503	but i think it's a bug	18:50
morgan_503	slash oversight	18:50
lhcheng	morgan_503: cool :)	18:50
lhcheng	morgan_503: sounds good	18:50
breton	gyee: can issue_token fetch domain-id from auth context?	18:50
gyee	breton, yes, I think the req env is passed down as part of context	18:52
gyee	I'll need to double check	18:52
*** piyanai has quit IRC		18:52
*** yottatsa has quit IRC		18:53
gyee	breton, yes, looks like we have req env in the context	18:54
*** geoffarnold has quit IRC		18:54
*** rm_work\|away is now known as rm_work		18:54
*** josecastroleon has quit IRC		18:55
*** geoffarnold has joined #openstack-keystone		18:55
*** piyanai has joined #openstack-keystone		18:55
breton	validationerror happens in AuthInfo.create now	18:57
*** ig0r_ has quit IRC		18:59
jamielennox	marekd: here?	19:00
*** haneef has joined #openstack-keystone		19:00
lbragstad	dolphm: dstanek ^	19:01
lbragstad	jamielennox: dolphm dstanek marekd we still want to meet?	19:01
dstanek	sure	19:01
* lbragstad is free		19:01
gyee	ayoung, jamielennox, can I get some love on this one? https://review.openstack.org/#/c/177661/	19:01
jamielennox	lbragstad: yep	19:01
samueldmq	gyee, I will look at it as well	19:02
*** geoffarnold has quit IRC		19:02
gyee	samueldmq, thanks!	19:02
jamielennox	so the best idea i have for IDP listing is essentially add a tag to IDPs	19:02
*** jsavak has quit IRC		19:02
*** yottatsa has joined #openstack-keystone		19:02
jamielennox	when you create an IDP or maybe protocol you say tag=coke.com	19:02
samueldmq	gyee, and if have time, could you approve this one ? as result of the meeting vote https://review.openstack.org/#/c/134655/	19:02
rodrigods	henrynash, too much stuff to remember in reseller, replied you again	19:02
*** samleon has joined #openstack-keystone		19:03
jamielennox	then from a horizon instance listing IDPs you do the list with ?tags=coke.com	19:03
gyee	samueldmq, sure, but do you want to move it out of backlog dir?	19:03
jamielennox	so that only IDPs relevant to that instance are going to show up	19:03
lbragstad	jamielennox: how does horizon know to look for coke?	19:03
jamielennox	i think ayoung's public/private is not fine grained enough for that	19:03
samueldmq	gyee, I am going to propose a follow-on cahnge to move this one and hte other which merged already	19:03
jamielennox	lbragstad: i was thinking hardcoded	19:03
jamielennox	ah, like in local_settings	19:03
samueldmq	gyee, so we move both together, if that makes sense, and we don't loose the +2s there	19:03
*** geoffarnold has joined #openstack-keystone		19:03
*** ayoung has quit IRC		19:04
gyee	sameuldmq, k, done	19:04
lbragstad	so, the user goes to horizon and they say "I'm a part of coke and I want to federate against coke's IDP"	19:04
jamielennox	when you look at whitelabelling something is it typically a new horizon instance or just an interface?	19:04
*** ig0r_ has joined #openstack-keystone		19:04
samueldmq	gyee, thanks	19:04
*** bapalm has quit IRC		19:04
samueldmq	gyee, one of the possible checks in endpoint constraint is by endpoint_id	19:04
gyee	samueldmq, yes, its governed by a policy rule	19:05
samueldmq	gyee, which is the same config we use for the policy fetch	19:05
gyee	so it can be anything	19:05
*** bapalm has joined #openstack-keystone		19:05
*** jsavak has joined #openstack-keystone		19:05
samueldmq	gyee, ok so that's far more generic than the endpoint_id config we need for fetching policy	19:05
gyee	samueldmq, yes, its using the service policy file	19:05
jamielennox	lbragstad: you could set it from ENV variable passed down from apache, so in the <VirtualEnv> EnvVar IDP_TAG coke.com just for that interface	19:05
jamielennox	i don't really know or mind on that just i would expect you to want to share some as well	19:06
samueldmq	gyee, yeah got it, we add a check in there	19:06
samueldmq	gyee, as a policy rule	19:06
jamielennox	like coke.com sees corp login and possibly a google login that another customer would see	19:06
dstanek	jamielennox: lbragstad: rights, having a separate URL for the customer is the only way i can think of to make it work	19:06
gyee	samueldmq, yeah, we made it generic so it can filter on anything from the catalog	19:06
*** petertr7 is now known as petertr7_away		19:07
lbragstad	dstanek: that would be the only way to make it work without exposing all idps to the user?	19:07
jamielennox	dstanek: is that unreasonable in the situation where someone is giving you access to a corp saml interface?	19:07
samueldmq	gyee, makes sense, and can be as tight as deployers want it to be	19:07
*** bapalm_ has joined #openstack-keystone		19:08
openstackgerrit	Merged openstack/keystone-specs: Centralized Policies Fetch and Cache https://review.openstack.org/134655	19:08
dstanek	lbragstad: yes, unless you liked my bad idea :-)	19:08
dstanek	jamielennox: not to me	19:08
jamielennox	lbragstad: it's the only way i can think of it working when you want to limit what is available in a drop down like that	19:08
jamielennox	where you are customizing a page based on URL	19:09
*** bapalm has quit IRC		19:09
jamielennox	dstanek: so what would be cool there is if you could seperate the horizon login from the rest of the horizon app	19:09
*** tjcocozz has quit IRC		19:09
jamielennox	i mean beyond login there's a good white-labelling of horizon opportunity for you guys there	19:10
lbragstad	jamielennox: so the user would hit the login page firs t	19:10
*** yottatsa has quit IRC		19:10
dstanek	lbragstad: they would hit a branded login page	19:10
jamielennox	but so that you don't have to operate a complete horizon instance per customer, just the login page and then redirect back over to a common horizon instance	19:10
lbragstad	dstanek: and that would be something that coke manages	19:10
dstanek	lbragstad: or their cloud provider	19:11
jamielennox	lbragstad: in whatever way people currently skin horizon	19:11
*** petertr7_away is now known as petertr7		19:11
dstanek	it's just that the user has to know something about what IdP to use and having them know their companies banded login makes the most sense	19:11
lbragstad	ok, so from there they shouldn't need to specify their idp because we should already know it based on where they are coming from	19:11
dstanek	yes	19:12
jamielennox	lbragstad: we could probably bounce from horizon direct to idp if the list is 1 entry long	19:12
jamielennox	but this is where i don't really know if dynamic listing matters	19:12
jamielennox	for some people (CERN) sure there will be a lot of IDPs coming and going	19:13
jamielennox	for a public cloud you would expect one or maybe two that don't really change much	19:13
lbragstad	so Horizon would understand that some user came from customer-dashboard.coke.com and horizon should understand that it needs to make /v3/OS-FEDERATION/identity_providers/coke/protocol/saml2/websso	19:14
*** geoffarnold has quit IRC		19:14
*** mestery_ has joined #openstack-keystone		19:14
lbragstad	jamielennox: and that call doesn't exist yet because that is what was proposed by your spec	19:14
gyee	jamielennox, lbragstad, dstanek, you guys see how google doc works?	19:14
jamielennox	gyee: for login?	19:15
gyee	yes	19:15
jamielennox	gyee: yea, google uses the @domain as part of the login	19:15
gyee	you auth with your normal credential, if it requires your corp cred	19:15
jamielennox	which would be awesome but works for them because they tie it to an actual @domain	19:15
gyee	it will forward you back to your corp to auth	19:15
jamielennox	it could work for a provider who decided that as a customer you got a domain that was strictly named after your actual web domain	19:16
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Moves Dynamic Policy specs to Liberty dir https://review.openstack.org/211720	19:16
samueldmq	gyee, dstanek ^	19:16
gyee	jamielennox, yes, we can't be having a drop down exposing all the IdPs	19:16
jamielennox	lbragstad: so really the only thing i'm trying to propose in that spec is to skip the shibboleth discovery and let horizon do that	19:16
gyee	our security team will never let us do that	19:17
gyee	you'll need to find out which user is authenticating, i.e. domain	19:17
*** mestery has quit IRC		19:17
gyee	then use the appropriate auth mechanism configured for that user	19:17
jamielennox	chadwick had an interesting note in an email thread that he thought you could direct from horizon to the idp login and have that redirect back to keystone	19:17
jamielennox	but my understanding was that couldn't happen	19:17
jamielennox	that we had to have keystone initiate that exchange	19:17
lbragstad	yeah, i'm not sure how that would work	19:18
dstanek	gyee: that is similar to my crappy idea	19:18
jamielennox	i replied to that thread but he hasn't answered that bit	19:18
gyee	dstanek, that's not a crappy idea	19:18
lbragstad	jamielennox: in that case, we would have to have the path location aliased in apache	19:18
lbragstad	right?	19:18
gyee	that's now it works in the "real world"	19:18
*** yottatsa has joined #openstack-keystone		19:18
jamielennox	lbragstad: which path?	19:19
dstanek	The other, much less ideal, thing we could do it a 2 step login process similar to what banks do. On the first page a user types in their username/email and when they submit a lookup happens to find out what IdP to use based on what domain they are defined in. Hopefully you could redirect to the IdP in such a way that the username/email is prepopulated, but I'd bet that doesn't work for everything.	19:19
dstanek	gyee: ^ from an email	19:19
lbragstad	jamielennox: /v3/OS-FEDERATION/identity_providers/{idp_ip}/protocol/{protocol_id}/websso	19:19
jamielennox	lbragstad: oh, yea you would need to set that up for each new idp	19:19
*** mestery_ is now known as mestery		19:19
jamielennox	but i'm not sure if that's happening anyway because we use /v3/OS-FEDERATION/identity_providers/{idp_ip}/protocol/{protocol_id}/auth for CLI login	19:20
gyee	dstanek, I don't see how we can really avoid 2 step login, unless we have a distinct URL for each customer	19:20
lbragstad	yeah, doesn't that pass to federated_sso_auth()?	19:20
jamielennox	i don't know how hard it is to reboot apache in a live env like that	19:20
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone-specs: Moves Dynamic Policy specs to Liberty dir https://review.openstack.org/211720	19:20
dstanek	gyee: exactly :-)	19:20
gyee	for cloud hosting, that may be the case	19:20
gyee	for public cloud, we have to know the domain	19:21
jamielennox	gyee: that's exactly where we are, a per-url login	19:21
lbragstad	jamielennox: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L299	19:21
jamielennox	lbragstad: so most of that is reusable	19:21
jamielennox	well some	19:22
jamielennox	you don't need https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L300-L313	19:22
jamielennox	because that's finding the idp url from the assertion and looking up remote_id on idps to figure out where the response came back from	19:22
lbragstad	jamielennox: oh, looks like that is this call - https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/routers.py#L80-L81	19:22
jamielennox	you would know this based on url	19:22
gyee	jamielennox, we sorta do some tricks at Apache side for Federation anyway	19:22
lbragstad	right,	19:22
lbragstad	jamielennox: so, that's the part we would be addressing with your spec, right?	19:23
jamielennox	gyee: you have to do apache tricks	19:23
gyee	perhaps have a header to dictate which IdP to forward to	19:23
jamielennox	lbragstad: right	19:23
jamielennox	gyee: but then how do you handle the header?	19:23
gyee	jamielennox, there's all kinds of stuff you can do with it	19:23
gyee	like redirect based on client DNS?	19:23
jamielennox	you would need a shiboleth discovery page that looks for the header, looks up the associated URL and forwards you	19:23
gyee	client IP, region, whatever	19:23
*** bapalm_ has quit IRC		19:24
*** bapalm has joined #openstack-keystone		19:24
*** alejandrito has joined #openstack-keystone		19:24
gyee	if you present a list to the end users, there's a very good chance they'll pick the wrong one	19:25
*** bapalm has quit IRC		19:25
lbragstad	gyee: a list of idps?	19:26
gyee	they have to know prior to authenticating, just like auth_url	19:26
*** bapalm has joined #openstack-keystone		19:26
gyee	lbragstad, yes	19:26
lbragstad	gyee: that and there is also security concerns, like you said	19:26
gyee	exactly	19:26
jamielennox	if you use the current global /websso route do you need to reboot apache for a new IDP?	19:26
jamielennox	you must right, you have to tell apache how to validate the assertion	19:27
lbragstad	jamielennox: yes, I believe so	19:27
lbragstad	so every addition of a new idp, will require a bounce of apache	19:27
gyee	how often do you add a new IdP?	19:27
gyee	once every 3 blue moons?	19:27
jamielennox	gyee: apparently it's a thing	19:27
jamielennox	but mainly CERN/kent as i understand it	19:28
*** geoffarnold has joined #openstack-keystone		19:28
jamielennox	but i expect even offering this in a public cloud situation it's going to be rare	19:29
gyee	wow, so their drop down list occupied the whole screeen then? :)	19:29
lbragstad	it's a big list	19:29
jamielennox	and it's going to be a support ticket that's going to take a few days	19:29
jamielennox	gyee: openstack.cern.ch	19:30
*** piyanai has quit IRC		19:30
*** bapalm has quit IRC		19:31
gyee	k man, I have to drop off for an hour or so, ya'll have fun :)	19:31
jamielennox	i don't know where the university one is	19:31
*** gyee has quit IRC		19:31
*** bapalm has joined #openstack-keystone		19:31
lbragstad	jamielennox: dstanek so, what do you guys think?	19:31
dstanek	lbragstad: hostess cupcakes are better than oreos	19:32
samueldmq	is Keystone FFE 3rd September?	19:32
jamielennox	so my main thing is i want to do discovery via horizon and not shib cause then we've got to do it again for mellon, for oidc and figure something out for kerberos	19:32
lbragstad	dstanek: fact, I can't argue with that	19:33
jamielennox	dstanek: i've got no idea	19:33
*** bapalm has quit IRC		19:33
jamielennox	if there's another way to make that happen i'm keen but i haven't found one	19:33
dstanek	jamielennox: i've not read the discovery spec yet, just the Oracle article.	19:34
*** bapalm has joined #openstack-keystone		19:34
lbragstad	what about the idp certs/metadata,	19:34
jamielennox	dstanek: i don't know if that means it's handled the same way for all implementations	19:34
lbragstad	that wouldn't require a change to apache (or bouncing apache) if the IdP gives a url to fetch metadata from, right?	19:34
jamielennox	lbragstad: i think you need that anyway	19:35
dstanek	lbragstad: yep, at least for now	19:35
lbragstad	jamielennox: need what? the certs?	19:35
jamielennox	sorry, misread	19:35
lbragstad	s/certs/metadata/	19:35
lbragstad	we have a way to give shib a url to fetch metadata,	19:35
jamielennox	at runtime? nice	19:36
lbragstad	so as long as that doesn't change, we shouldn't have to bounce apache if the IdP certs change	19:36
lbragstad	jamielennox: https://github.com/lbragstad/keystone-deploy/blob/federation/playbooks/roles/service_provider/templates/shibboleth2.xml#L11	19:36
*** ankita_wagh has quit IRC		19:37
*** gordc has quit IRC		19:37
lbragstad	but if shib only fetches metadata on start up, then we might need to bounce shib in order to get it to grab new metadata	19:37
*** jsavak has quit IRC		19:38
jamielennox	does keystone support that /saml2/metadata or is that yours?	19:38
stevemar	it does	19:38
* jamielennox needs to read that		19:38
*** bapalm has quit IRC		19:38
dstanek	lbragstad: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPMetadataProvider#IdPMetadataProvider-AboutReloadingMetadataProviders	19:38
*** jsavak has joined #openstack-keystone		19:39
jamielennox	oh, i thought that was just for K2K?	19:39
lbragstad	dstanek: oh, nice.	19:39
dstanek	it's for any IdP	19:39
lbragstad	dstanek: so you can tell shib to get metadata periodically	19:40
*** phalmos has quit IRC		19:40
dstanek	lbragstad: it's automatic based on cache headers	19:41
*** bapalm has joined #openstack-keystone		19:41
jamielennox	dstanek: it still looks to me like /metadata is the assertion for using keystone as an IDP, not how to fetch data about IDPs configured in keystone	19:41
lbragstad	dstanek: awesome, so we shouldn't have to kick shib because some idp changed their metadata	19:41
jamielennox	based on https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3-os-federation-ext.rst#retrieve-metadata-properties	19:41
dstanek	jamielennox: that's exactly what that is - it's an IdP's metadata	19:42
lbragstad	dstanek: so, we are back to only bouncing apache when we add new IdPs	19:42
dstanek	you will have to restart to add/remove IdPs	19:42
*** gordc has joined #openstack-keystone		19:42
dstanek	lbragstad: yes, for now. i think someone is working on that from Redhat	19:42
dstanek	well, at least for mellon	19:42
jamielennox	yea, but not for shib	19:42
jamielennox	dstanek: so based on the code you could use it for anything https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L502	19:43
*** yottatsa has quit IRC		19:44
jamielennox	which makes it a fairly cool hack that you'd be able to list all your remote IDPs data in their	19:44
*** browne1 has joined #openstack-keystone		19:44
jamielennox	but i think the intent is for that to serve the saml2 metadata for keystone when using k2k	19:44
stevemar	jamielennox: right, its only supposed to be for k2k	19:45
dstanek	jamielennox: that class is just what implements the /metadata for k2k. the shib directive is for all of federation	19:45
openstackgerrit	Merged openstack/keystone: Fix docstring in mapped plugin https://review.openstack.org/211630	19:46
*** browne has quit IRC		19:47
*** ayoung has joined #openstack-keystone		19:47
*** ChanServ sets mode: +v ayoung		19:47
jamielennox	oh, i may have misread https://github.com/lbragstad/keystone-deploy/blob/federation/playbooks/roles/service_provider/templates/shibboleth2.xml#L11	19:48
dstanek	jamielennox: that's lbragstad's template for doing k2k	19:48
jamielennox	that's setting up keystone as an idp not as a sp?	19:48
jamielennox	ok, right, misunderstood what was happening there	19:48
openstackgerrit	Merged openstack/keystone-specs: Moves Dynamic Policy specs to Liberty dir https://review.openstack.org/211720	19:49
dstanek	jamielennox: yeah, that's configuring a Keystone as an IdP	19:50
*** bapalm has quit IRC		19:51
*** bapalm has joined #openstack-keystone		19:51
jamielennox	lbragstad: looking at that task, out of interest, how does shib-keygen work if you have HA keystones? do you need to copy around private keys?	19:51
*** yottatsa has joined #openstack-keystone		19:51
*** yottatsa has quit IRC		19:52
*** piyanai has joined #openstack-keystone		19:54
*** bapalm has quit IRC		19:55
*** bapalm has joined #openstack-keystone		19:55
openstackgerrit	Corey Bryant proposed openstack/python-keystoneclient: Iterate over copy of sys.modules keys in Python2/3 https://review.openstack.org/211731	19:58
lbragstad	jamielennox: I'm not sure,	19:58
lbragstad	jamielennox: I didn't get that far with ansible	19:58
lbragstad	and federated setups	19:58
*** ig0r_ has quit IRC		19:58
jamielennox	lbragstad: no worries, i just saw it and was wondering if that worked - i assume not	19:59
jamielennox	i've been trying to figure out the "correct" way to do secrets in ansible and i'm still not sure	19:59
*** bapalm has quit IRC		20:01
lbragstad	jamielennox: so we've hammered out at least one option and that is 1.) user goes to customer specific login page 2.) customer specific login page goes to horizon 3.) horizon figures out which customer idp to use 4.) horizon calls /v3/OS-FEDERATION/identity_providers/{idp_ip}/protocol/{protocol_id}/websso based on the idp id	20:01
*** bapalm has joined #openstack-keystone		20:01
*** hrou has quit IRC		20:01
lbragstad	jamielennox: and that solution will require a restart/reload of apache and mod_shib every time you add a new IdP do you deployment	20:02
jamielennox	yep	20:03
lbragstad	jamielennox: so, based on that, do we want to move forward with an SPFE?	20:04
*** bapalm_ has joined #openstack-keystone		20:04
*** opilotte has quit IRC		20:05
*** opilotte has joined #openstack-keystone		20:05
*** bapalm has quit IRC		20:05
*** ig0r_ has joined #openstack-keystone		20:08
*** claudiub has quit IRC		20:11
*** mylu has joined #openstack-keystone		20:13
*** geoffarnold has quit IRC		20:15
*** samueldmq has quit IRC		20:21
*** petertr7 is now known as petertr7_away		20:22
jamielennox	bknudson: can you have another look at https://review.openstack.org/#/c/188329/3	20:22
jamielennox	you just wanted a bug filed	20:23
jamielennox	the follow up patch has 2 +2s	20:23
morgan_503	zzzzzzzzz	20:23
*** morgan_503 is now known as morgan_404		20:23
morgan_404	so	20:24
morgan_404	now that I have coffee lunch ... and stuff	20:24
* morgan_404 looks at code reviews and email		20:24
*** bapalm_ has quit IRC		20:25
*** bapalm has joined #openstack-keystone		20:25
*** phalmos has joined #openstack-keystone		20:26
*** petertr7_away is now known as petertr7		20:29
*** bapalm has quit IRC		20:30
*** bapalm has joined #openstack-keystone		20:31
*** bapalm has quit IRC		20:35
htruta	henrynash: are you there?	20:36
*** opilotte has quit IRC		20:41
jamielennox	morgan_404: if you're looking for code reviews can you look at that one a few lines ago	20:42
jamielennox	a testing change in client-kerberos	20:42
jamielennox	but then i can merge the one that deps on it	20:42
morgan_404	jamielennox: i was looking at the split loading in keystoneauth	20:44
jamielennox	morgan_404: ah, that too	20:45
jamielennox	i think that ones ok, there's a follow up to move session loading over there as well which is correct but doesn't feel as right	20:45
morgan_404	yeah but both take real eyes	20:45
morgan_404	since it's a lot of shuffling things around	20:46
morgan_404	not just "oh yeah this is easy"	20:46
*** opilotte has joined #openstack-keystone		20:46
jamielennox	no, it's a pain	20:46
*** diazjf has quit IRC		20:48
*** ngupta has quit IRC		20:48
*** opilotte_ has joined #openstack-keystone		20:51
*** opilotte has quit IRC		20:54
*** opilotte has joined #openstack-keystone		20:55
*** opilotte has quit IRC		20:57
*** mylu has quit IRC		20:57
*** ig0r_ has quit IRC		20:58
morgan_404	jamielennox: so.. session loading going to punt on that one for a few	20:58
morgan_404	not sure how i feel about that one	20:58
morgan_404	it's not wrong... but you're right... it doesn't feel "right"	20:58
*** rdo has quit IRC		20:59
*** ankita_wagh has joined #openstack-keystone		21:00
morgan_404	jamielennox: whole chain(s) approved	21:00
stevemar	dolphm: poke	21:00
*** opilotte has joined #openstack-keystone		21:00
morgan_404	session loading, k2k plugin, and uhhhhh prompt for password	21:00
morgan_404	jamielennox: ^ not approved.	21:00
*** opilotte has quit IRC		21:00
jamielennox	in keystoneauth?	21:01
jamielennox	i thought i abandonded all those on client	21:01
jamielennox	or some	21:01
*** rdo has joined #openstack-keystone		21:01
*** opilotte has joined #openstack-keystone		21:01
stevemar	lbragstad: dstanek poke?	21:02
morgan_404	stevemar: poke bowl?	21:03
stevemar	morgan_404: i'll settle for you :P	21:04
*** morgan_404 is now known as morgan_410		21:04
stevemar	morgan_404: i was wondering if theres any logic behind this: https://developer.rackspace.com/blog/introducing-rack-global-cli/	21:04
morgan_410	¬_¬	21:04
stevemar	aside from stomping all over what osc is trying to do	21:04
*** morgan_410 is now known as morgan_404		21:05
morgan_404	stevemar: uhhh	21:05
stevemar	is it meant for just their public (or private) cloud, i forget which one isn't fully openstack friendly	21:05
morgan_404	stevemar: vendor lockin ?	21:05
morgan_404	the public cloud is not fully openstack, afaik the private cloud offerings are	21:05
morgan_404	i think it's 2-3 things	21:06
morgan_404	1) they control the UX	21:06
morgan_404	so the can smoothover the ick we may have in OSC/clients	21:06
morgan_404	2) mindshare (typing "rack" enforces it is rackspace vs "openstack")	21:07
*** petertr7 is now known as petertr7_away		21:07
stevemar	morgan_404: 1) help the project instead? 2) wtf	21:07
morgan_404	3) vendor lockin (see #2, while unsure if it was the intentional starting place)	21:07
stevemar	if it were to smooth over some weirdness that maybe the non-openstack APIs have, i get	21:08
stevemar	just want to see that in writing though	21:08
stevemar	AFAICT, it's pretty much just a go-ified version of osc	21:08
dstanek	stevemar:	21:08
stevemar	dstanek: refer to above ^	21:09
dstanek	stevemar: lbragstad and i were discussing websso flow earlier	21:09
dstanek	stevemar: no idea	21:09
stevemar	dstanek: whats up with websso? or just saying why you were both away?	21:10
dstanek	stevemar: i may have a question for you...	21:11
dstanek	stevemar: this seems wrong...but what i came up with bit.ly/1JaStaY	21:11
jamielennox	oo, rack cli :(	21:11
dstanek	stevemar: then i decided to make the mod_shib part more obvious and came up with bit.ly/1WgfrRV	21:12
dstanek	stevemar: now i have no idea what's happening between steps 7 and 8	21:12
jamielennox	but i mean not dealing with *client and python deps, i can kind of see why	21:12
dstanek	stevemar: unless the dashboard always frontends keystone	21:12
dstanek	looks like someone wanted to experiment with go	21:13
stevemar	jamielennox: i'd rather have seen folks helping the project instead of running off and creating and their own	21:13
stevemar	it's not like we turn down help	21:13
stevemar	now we're just going to have 2 projects that are lagging behind	21:14
*** gyee has joined #openstack-keystone		21:17
*** ChanServ sets mode: +v gyee		21:17
stevemar	this is really upsetting :\ seems like a great example of not working with the community	21:17
stevemar	hopefully i'm just mis-interpreting all of this, but it doesn't seem that way	21:18
*** phalmos has quit IRC		21:19
dstanek	yeah, i don't know why they would just up and write an osc clone	21:21
*** phalmos has joined #openstack-keystone		21:21
*** yottatsa has joined #openstack-keystone		21:21
dstanek	it would have been simpler to have a project that updates a user's bashrc to have 'alias rack=openstack" for the branding :-)	21:22
*** henrynash has quit IRC		21:25
*** raildo is now known as raildo-afk		21:26
*** henrynash has joined #openstack-keystone		21:28
*** ChanServ sets mode: +v henrynash		21:28
stevemar	dstanek: steps 7 and 8 eh	21:31
*** rdo has quit IRC		21:31
*** rdo has joined #openstack-keystone		21:33
openstackgerrit	guang-yee proposed openstack/keystone: Validate domain ownership for v2 tokens https://review.openstack.org/208069	21:40
*** alejandrito has quit IRC		21:41
*** yottatsa has quit IRC		21:41
*** bapalm has joined #openstack-keystone		21:42
gyee	morgan_404, dolphm, I just updated the commit msg on https://review.openstack.org/208069 to include the bug on the v2 token request	21:43
gyee	I am going to approve it as only the commit msg has changed	21:43
gyee	yell if you guys have a problem with this	21:43
jamielennox	stevemar, dstanek: right, they could have done some interesting things with branding like force set all the correct API versions, force set the correct auth_urls etc that make OSC more difficult	21:45
*** nkinder has quit IRC		21:46
stevemar	jamielennox: apparently the single binary package was a hard requirement	21:46
dstanek	stevemar: dumb requirement if the install instructions have you use go to install	21:48
jamielennox	binary is tough there, they could have vendored the clients	21:48
jamielennox	but python isn't good for that stuff	21:48
stevemar	dstanek: jamielennox and the ability to only provide non-admin commands	21:48
jamielennox	right, it wouldn't be a difficult fork	21:49
*** bapalm has quit IRC		21:49
stevemar	but that shouldnt be hard to change the entrypoints of setup.cfg to fix	21:49
stevemar	right	21:49
* stevemar shakes head		21:49
stevemar	i dunno	21:49
*** bapalm has joined #openstack-keystone		21:49
stevemar	dstanek: going offline, email me if you have websso questions	21:51
jamielennox	unrelated: i need a coffee, but can i get people to have a look at https://review.openstack.org/#/c/188329/	21:51
jamielennox	stevemar: oo	21:51
jamielennox	i did have one that i thought marekd was going to have to answer	21:51
jamielennox	is it possible to do websso without going via keystone for the first hop	21:51
jamielennox	chadwick was suggesting we could redirect from horizon to the idp login page and set the keystone url as the return	21:52
jamielennox	i was under the impression we couldn't do that, we had to go horizon to keystone then to idp	21:52
stevemar	jamielennox: horizon to keystone is the only way that makes sense to me, unless you want to store stuff in horizon	21:52
stevemar	jamielennox: we're not even going to "keystone" we're going to a protected URL	21:52
jamielennox	stevemar: his suggestion did involve horizon knowing the idp login url	21:53
jamielennox	stevemar: right, but the redirect is initiated from keystone	21:53
stevemar	jamielennox: so whats the advantage we get?	21:53
stevemar	one less hop on something that is already a stupid amount of hops	21:53
*** henrynash has quit IRC		21:53
jamielennox	stevemar: it was the debate about whether we should do idp specific websso that has gone on way too long	21:53
*** henrynash has joined #openstack-keystone		21:54
*** ChanServ sets mode: +v henrynash		21:54
jamielennox	and listing idps	21:54
marekd	jamielennox: hard question you ask	21:54
jamielennox	he was saying the idp login url would be added to keystone idp data and that horizon wouuld go straight there	21:54
stevemar	if rax is fine with listing all their idps then i'm okay with it too	21:54
jamielennox	ignoring the hops and whether it's a good idea to expose idp login urls like that (because you have to double handle the url, once in apache and once in keystone)	21:55
jamielennox	i was just wondering if it's possible	21:55
marekd	jamielennox: stevemar i think there is a way to skip firrst pass to keystone.	21:55
jamielennox	i thought apache set up like a CSRF style thing on that first request that was part of it	21:55
stevemar	jamielennox: i'm not even sure if it's possible tbh	21:55
marekd	but horizon would need to keep lots of info on idp, or use somethink like DisoFeed i linked today	21:56
jamielennox	IMO it's passing too much protocol knowledge to django_openstack_auth, i just want to know if it's doable	21:56
*** bapalm has quit IRC		21:56
jamielennox	marekd: chadwick's suggestion was it be included in the idp data so it was available when you listed them	21:57
*** bapalm has joined #openstack-keystone		21:57
*** Raildo has joined #openstack-keystone		21:57
marekd	jamielennox: idp data fetched from keystone?	21:57
marekd	so the way the DS works it basically redirect to the IdP with three GET parameters so IdP knows where to get back - return, target and something else.	21:59
stevemar	bbiab	21:59
*** stevemar has quit IRC		21:59
marekd	jamielennox: but i am not super sure if there is no signed request involved there.	21:59
marekd	i'd need to investigate	21:59
*** Raildo has quit IRC		21:59
*** stevemar has joined #openstack-keystone		22:00
marekd	i will probably have to sit and tcpdump all the trafick and decrypt everything request by request.	22:00
*** ChanServ sets mode: +v stevemar		22:00
marekd	jamielennox: you may try to play/read/understand this: https://github.com/ucldc/js-embedded-discovery to get better view	22:01
jamielennox	marekd: the problem with DS is that i don't think it works the same way in mellon, i want a solution that doesn't require a provider to implement there own discovery page, it works differently for OIDC and others in future, it requires exposing IDPs via protocol in horizon, i don't see how it works for kerberos or like ssl client certs	22:02
dstanek	stevemar: no specific questions...i just need to read a little more about how it might work using horizon	22:02
dstanek	marekd: you;re up late?	22:02
marekd	dstanek: midnight or something so i wont; be here long.	22:02
jamielennox	anyway, i need a coffee, back later	22:03
*** stevemar has quit IRC		22:03
dstanek	marekd: : lbragstad and i were talking websso and this seems wrong...but what i came up with bit.ly/1JaStaY	22:03
jamielennox	marekd: can you have a look at https://review.openstack.org/#/c/188329/ i want to get the reliant one merged	22:03
*** dguerri` is now known as dguerri		22:03
marekd	jamielennox: so propose your spec as exception	22:03
dstanek	marekd: the i tried bit.ly/1WgfrRV to show how mod_shib does the redirects and now i have no idea how horizon gets a token	22:03
marekd	i m not trying to block anything	22:04
jamielennox	marekd: i don't care if it's exception or next cycle	22:04
jamielennox	this isn't a day job issue, just something i think is wrong	22:04
marekd	jamielennox: and i don't think this form of discovery service will work for ssl or kerberos.	22:04
marekd	jamielennox: all right, understood	22:04
marekd	dstanek: sure	22:05
dstanek	marekd: we can discuss tomorrow, just looking to see how off base i am	22:05
dstanek	marekd: was planning on reading more on websso tonight anyway	22:05
*** narengan has quit IRC		22:06
*** narengan has joined #openstack-keystone		22:06
lbragstad	dstanek: marekd I guess we're just trying to come up with a flow that works with what jamielennox proposed and essentially the public cloud case that was brought up on the mailing list	22:06
morgan_404	gyee: back now.	22:07
morgan_404	gyee: sorry got distracted with coffee tasting	22:07
lbragstad	or, actually, who does what and when	22:07
marekd	dstanek: so let's discuss this bit.ly/1WgfrRV, ok ?	22:10
dstanek	marekd: shore	22:11
*** bapalm has quit IRC		22:11
marekd	it's minor but step 4 is handled by mod_shib, not Keystone SP (which i assume is already real Python code)	22:11
*** narengan has quit IRC		22:11
dstanek	marekd: s/user/browser/ in the diagram	22:11
*** bapalm has joined #openstack-keystone		22:11
marekd	dstanek: it's the same eventually :-)	22:11
*** jecarey has quit IRC		22:12
dstanek	marekd: actually step 4 should be from mod_shib to user - i musta borked the diagram there	22:12
*** r-daneel has quit IRC		22:12
marekd	dstanek: that's what i just said :-)	22:12
marekd	but it's minor :-)	22:12
marekd	next	22:13
marekd	next	22:13
marekd	there is a ? between step 7 and 8	22:13
marekd	when an unscoped token is returned by server ot user	22:13
dstanek	yeah,7-8 is where i am clueless	22:13
marekd	so, this is done by keystone, python code.	22:13
dstanek	actully 7 is correct and then request goes from mod_shib into Python right?	22:14
marekd	yes, all the mapping magic and sstuff	22:14
dstanek	then that token goes back to the browser?	22:15
marekd	since you are logged in, session is active, the gatekeeper (mod_shib) will eventually let you in, and here is where Keystone code is being touched for the first time.	22:15
marekd	dstanek: no	22:15
marekd	we need to transfer token back to dashboard.	22:15
*** doug-fish has left #openstack-keystone		22:15
*** claudiub has joined #openstack-keystone		22:15
dstanek	how would it get there is not sent to the browser so that it could give it to horizon via a form or something?	22:16
marekd	so what we do is we return a <html> form with a <form> where we actually keep a token and JS load that redirects us to horizon...scary, huh?	22:16
marekd	dstanek: let me link the code	22:16
*** bapalm has quit IRC		22:16
dstanek	marekd: ok, so it does go back to the browser then	22:16
marekd	dstanek: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L299 and https://github.com/openstack/keystone/blob/master/etc/sso_callback_template.html	22:17
*** edmondsw has quit IRC		22:17
marekd	dstanek: ok, it goes to browser (everything goes through browser), but as HTTP 302	22:17
marekd	and browser gets back to dashboard with the token.	22:18
lbragstad	so step 7 just goes straight to Keystone Service Provider	22:18
marekd	lbragstad: no	22:19
marekd	it's saml	22:19
marekd	so it's sib	22:19
marekd	keysetone doesn't know anything about any potocol.	22:19
lbragstad	but shib does something with the Keystone SErvice provider to finish getting the unscoped token	22:19
marekd	step ? between 7 and 8 goes FROM Keystone Service Provider	22:19
dstanek	marekd: so more like bit.ly/1hwrY3n	22:19
lbragstad	that looks better	22:20
marekd	lbragstad: so, it opens a session, and says 'hey client, you are authenticated, you can go in' which means in practice that you start running python code, do the mapping and stuff	22:20
lbragstad	oh	22:20
marekd	dstanek: yes	22:21
dstanek	ok, i think i have now mastered the federations	22:21
marekd	dstanek: yay	22:21
dstanek	marekd: yay, if it were true	22:22
marekd	dstanek: at least your charts look awesome :-0	22:22
lbragstad	but some of that flow doesn't exist yet	22:22
marekd	lbragstad: which one?	22:22
lbragstad	s/yet/yet?/	22:22
marekd	lbragstad: what does not exist is the route /v3/OS-FEDERATION/identity_providers/.... compatible with browsers	22:23
dstanek	marekd: websse with ipd_id	22:23
lbragstad	I thought that was based on the fact that jamielennox wanted to implement that path	22:23
marekd	lbragstad: yes	22:23
lbragstad	so /v3/OS-FEDERATION/identity_providers/{idp_id}/protocol/{protocol_id}/websso needs to be implemented in Keystone	22:24
marekd	don't have to be websso suffix	22:24
lbragstad	and that's the missing piece as far as keystone is concerned (excluding the discovery page)	22:24
marekd	we can reuse old existing routes and check http headers	22:24
*** bapalm has joined #openstack-keystone		22:24
marekd	whether it's content-type is application/json (then return pure json as we do with cli today) otherwise return our html form.	22:25
dstanek	marekd: that's a really great idea	22:25
marekd	i hope you are not being sarcastic now :-)	22:25
dstanek	marekd: ha, no.	22:26
marekd	so rackspace is goilg to be ok to list all federated idps ?	22:26
lbragstad	marekd: no, we get around that by having the Coke Customer Dashboard part	22:27
marekd	lbragstad: neat	22:27
lbragstad	marekd: I think dstanek collapsed the Coke Dashboard and Horizon into the same entity in that diagram	22:28
marekd	then having multiple sso routes makes sense to me	22:28
marekd	as i call it 'many two-peer federations'	22:28
marekd	which is probably not very popoular :-)	22:28
dstanek	so really we can just can controllers.Auth.federated_authentication and dispatch based on content type	22:29
lbragstad	marekd: so, because the customer (user) is coming from Coke Dashbaord, Horizon should now which IdP they belong to	22:29
dstanek	lbragstad: are you thinking that the code dashboard would only be the first hit? instead of branding the entire thing?	22:30
marekd	lbragstad: i thnk it will rather work "becausre use hits this particular url" he must want to use Coke IdP.	22:30
marekd	dstanek: pretty much that;s all we need to do + all this origin parameter validation	22:31
marekd	dstanek: and similar stuff	22:31
lbragstad	dstanek: marekd it would be these bits, right? https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L314-L317	22:31
marekd	lbragstad: without DS that would be configure in Shib : "URL /v3/OS-FEDERATION/idp/COKE/protocols/saml2/auth" -> redirect to coke idp "	22:32
dstanek	lbragstad: i think this is the existing controller method -> https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L280	22:33
lbragstad	dstanek: correct,	22:33
dstanek	lbragstad: we'd do the ssl logic it that's hit the a text/html content type	22:33
dstanek	lbragstad: so, yes Horizon (or apache rule in front of it) will have to translate openstack.coke.com to /OS-FED.../coke/../SAML/.../blah	22:34
marekd	dstanek: correct	22:34
lbragstad	dstanek: and the Horizon you're talking about is the Service Provider's Horizon	22:34
*** phalmos has quit IRC		22:34
marekd	cokes horizon	22:35
dstanek	what marekd said	22:35
dstanek	specifically whatever listens on openstack.coke.com	22:36
marekd	dstanek: ++	22:36
morgan_404	dolphm: this is quite interesting: http://smalltownbrewery.com/our-beers/	22:36
lbragstad	so, the service provider's horizon doesn't get involved until step 10?	22:36
morgan_404	"not your father's root beer"	22:36
marekd	lbragstad: there is no rackspace horizon capabl of federation :-)	22:36
marekd	that's my understanding of your idea	22:36
dstanek	what is the service provider's horizon?	22:37
marekd	dstanek: the one provided by rackspace	22:37
marekd	i think	22:37
marekd	openstack.rackspace.com	22:37
lbragstad	yeah, that's what I was thinking,	22:37
dstanek	why isn't code just using openstack.coke.com?	22:38
marekd	lbragstad: so i think the new idea tailored for you is "instead of provifing one webpage where users choose their idps, let's integrate their horizons so they know what idp to choose"	22:38
lbragstad	ok	22:38
dstanek	lbragstad: i was thinking openstack.coke.com was a CNAME (or something like it) to openstack.rackspace.com	22:39
marekd	so, when i go to openstack.coke.com (i keep typing code instead of coke, what's wrong with me) everybody will know i am coke's user	22:39
dstanek	are you thinking it's private cloud dashboard?	22:39
lbragstad	openstack.coke.com is a private cloud dashboard, right?	22:39
*** gordc has quit IRC		22:40
lbragstad	and from there you want to federate to some public cloud	22:40
marekd	so ok, now even i am lost :P	22:40
dstanek	if openstack.coke.com were their private cloud dashboard they wouldn't need federation to use their own AD/LDAP/whatever	22:41
dstanek	that only comes in to play with then using the public dashboard and wanting to use their IdP right?	22:41
lbragstad	yes, makes sense..	22:41
marekd	dstanek: they may want to use their private dashboard to browser resources of a public cloud (federated with them)	22:41
lbragstad	sorry i'm lost in the weeds	22:42
*** bapalm has quit IRC		22:42
dstanek	marekd: wouldn't that be k2k between the clouds?	22:42
*** bapalm has joined #openstack-keystone		22:42
marekd	dstanek: dont think so.	22:43
dstanek	i see this is going in circles - two distinct usecases with the same solution	22:43
marekd	dstanek: does horizon have some static conf regarding other services?	22:44
marekd	lhcheng: ^^	22:44
marekd	probably yes	22:44
marekd	i am sure it has	22:44
marekd	dstanek: so no, it must be rackspace dashboard for everyone, sorry i errored you, lbragstad	22:44
lhcheng	marekd: horizon pulls the endpoint of other services from the service catalog	22:46
marekd	lhcheng: yes, but when i type my user/pas it must know auth_url	22:46
marekd	before i do anything...	22:46
lhcheng	marekd: ah yes	22:46
marekd	as at first i am unauthentcated user.	22:46
*** bapalm has quit IRC		22:47
lhcheng	marekd: that is configured in the local_settings.py, you can setup multiple keystone endpoints too	22:47
lhcheng	marekd: somewhere in : https://github.com/openstack/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L154	22:48
marekd	lhcheng: wait, so let's say horizon is configured to work with auth_url X and suddently a token w/ its service catalog has auth_url Y . Will horizon start servig requests to/from that other cloud?	22:48
marekd	i will start seeing VMs from another cloud?	22:49
marekd	ok i need to log out	22:51
lhcheng	marekd: yes, it will try to send the request to Y keystone endpoint for the identity operations.	22:51
lbragstad	marekd: thanks for the help	22:51
marekd	i will thing about your use case, dstanek/lbragstad	22:51
marekd	lbragstad: no problemo	22:51
marekd	good night!	22:51
lbragstad	marekd: later!	22:51
dstanek	marekd: night	22:51
lhcheng	marekd: good night	22:52
*** henrynash has quit IRC		22:52
openstackgerrit	Merged openstack/keystoneauth: Import service catalog tests from keystoneclient https://review.openstack.org/210266	22:55
openstackgerrit	Merged openstack/keystoneauth: Allow searching a catalog on service or endpoint id https://review.openstack.org/210267	22:55
*** jsavak has quit IRC		23:01
*** dguerri is now known as dguerri`		23:06
*** zzzeek has quit IRC		23:12
*** sigmavirus24 is now known as sigmavirus24_awa		23:15
*** elmiko has quit IRC		23:23
*** marzif has joined #openstack-keystone		23:26
*** morgan_404 has quit IRC		23:29
*** morganfainberg has joined #openstack-keystone		23:31
*** ChanServ sets mode: +v morganfainberg		23:31
*** morganfainberg is now known as morgan_404		23:32
morgan_404	...	23:32
*** ChanServ sets mode: +o morgan_404		23:37
*** morgan_404 changes topic to "Review code, feature freeze is rapidly approaching."		23:38
dstanek	morgan_404: Not Found	23:41
*** rm_work is now known as rm_work\|away		23:46
morgan_404	Better than 410 - gone	23:47
*** alejandrito has joined #openstack-keystone		23:57
*** david-lyle has quit IRC		23:58
*** david-lyle has joined #openstack-keystone		23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!